alloydb-postgres-monitor
Fail
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: Every script in the skill (e.g., get_query_metrics.js, list_locks.js) uses the npx command to download and execute the @toolbox-sdk/server@1.1.0 package at runtime. This practice involves running unverified code from an external registry that is not bundled with the skill.
- [DATA_EXFILTRATION]: The scripts contain logic in the mergeEnvVars function to read .env files from parent directories (../../../.env) relative to the script location. This allows the skill to access configuration files and secrets located outside the skill's intended directory scope.
- [COMMAND_EXECUTION]: The implementation uses child_process.spawn with the shell option enabled on Windows platforms to execute commands constructed from user-supplied arguments, which exposes the scripts to command injection.
- [CREDENTIALS_UNSAFE]: The skill specifically targets and processes sensitive database credentials from the host environment, such as ALLOYDB_POSTGRES_PASSWORD, and passes them to the external toolbox server.
- [PROMPT_INJECTION]: The skill ingests untrusted user input in the form of SQL statements and PromQL queries without sanitization or boundary markers. These queries are then passed directly to subprocess calls, creating an indirect prompt injection surface where external data could influence the agent's behavior.
Recommendations
- AI detected serious security threats